Chapter 3 - Security Management Concepts & Principles.pdf

aishahmrawy 18 views 20 slides Mar 08, 2025

About This Presentation

Security Management Concepts & Principles


Slide Content

Information Systems Security
Presented By
Dr. Mohamed Marie

Chapter 3
Security Management Concepts and Principles
This chapter presents the following:
Security Management Concepts and Principles
Protection Mechanisms
Change Control/Management
Data Classification

Protection Mechanisms
Another aspect of security solution concepts and principles is the element of protection mechanisms. These are common characteristics of security controls. Not all security controls must have them, but many controls offer their protection for confidentiality, integrity, and availability through the use of these mechanisms. These mechanisms include using multiple layers or levels of access, employing abstraction, hiding data, and using encryption.

Protection Mechanisms
Layering
Layering, also known as defense in depth, is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. When security solutions are designed in layers, most threats are eliminated, mitigated, or thwarted.
Using layers in a series rather than in parallel is important. Performing security restrictions in a series means to perform one after the other in a linear fashion. Only through a series configuration will each attack be scanned, evaluated, or mitigated by every security control. A single failure of a security control does not render the entire solution ineffective. If security controls were implemented in parallel, a threat could pass through a single checkpoint that did not address its particular malicious activity. Serial configurations are very narrow but very deep, whereas parallel configurations are very wide but very shallow.
Parallel systems are useful in distributed computing applications, but parallelism is not often a useful concept in the realm of security.

Protection Mechanisms
Layering
Think of physical entrances to buildings. A parallel configuration is used for shopping malls. There are many doors in many locations around the entire perimeter of the mall. A series configuration would most likely be used in a bank or an airport. A single entrance is provided, and that entrance is actually several gateways or checkpoints that must be passed in sequential order to gain entry into active areas of the building. Layering also includes the concept that networks comprise numerous separate entities, each with its own unique security controls and vulnerabilities. In an effective security solution, there is a synergy between all networked systems that creates a single security front. Using separate security systems creates a layered security solution.
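
The series-versus-parallel argument from the layering slides, as an added example that is not part of the original presentation. The three controls, the request fields and the sample requests are constructed for illustration; `failed_open` stands in for a control that has stopped working.

```python
# Added illustration: the same three controls placed in series and in parallel.
# Control logic, field names and the sample requests are constructed for this example.

def source_allowed(req):      # network-layer control
    return req["src"].startswith("10.")

def authenticated(req):       # identity-layer control
    return req.get("token") == "valid-session"

def payload_clean(req):       # content-layer control
    return "<script" not in req["body"].lower()

CONTROLS = [source_allowed, authenticated, payload_clean]

def series(req, controls=CONTROLS):
    """Series: the request meets every control in order; the first refusal blocks it."""
    for control in controls:
        if not control(req):
            return False, control.__name__
    return True, None

def parallel_doors(req, controls=CONTROLS):
    """Parallel: each control guards its own door; list the doors that admit the request."""
    return [control.__name__ for control in controls if control(req)]

def failed_open(req):         # stands in for a control that has stopped working
    return True

REQUESTS = {                  # constructed samples: one legitimate, three violating one control each
    "legit":       {"src": "10.0.0.5",    "token": "valid-session", "body": "hello"},
    "outside_src": {"src": "203.0.113.9", "token": "valid-session", "body": "hello"},
    "no_session":  {"src": "10.0.0.7",    "token": None,            "body": "hello"},
    "bad_payload": {"src": "10.0.0.8",    "token": "valid-session", "body": "<SCRIPT>x</script>"},
}

if __name__ == "__main__":
    degraded = [failed_open, authenticated, payload_clean]
    for name, req in REQUESTS.items():
        print(f"{name:12} series={series(req)} "
              f"degraded_series={series(req, degraded)} "
              f"parallel_doors_open={parallel_doors(req)}")
```

In series, each bad request is stopped by the one layer that addresses it, and the other layers keep blocking when one control fails open. In parallel, every bad request still finds two doors that admit it.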

Protection Mechanisms
Abstraction
Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. Thus, the concept of abstraction is used when classifying objects or assigning roles to subjects. The concept of abstraction also includes the definition of object and subject types or of objects themselves (that is, a data structure used to define a template for a class of entities). Abstraction is used to define what types of data an object can contain, what types of functions can be performed on or by that object, and what capabilities that object has. Abstraction simplifies security by enabling you to assign security controls to a group of objects collected by type or function.

Protection Mechanisms
Data Hiding
Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. Keeping a database from being accessed by unauthorized visitors is a form of data hiding, as is restricting a subject at a lower classification level from accessing data at a higher classification level. Preventing an application from accessing hardware directly is also a form of data hiding. Data hiding is often a key element in security controls as well as in programming.
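
Abstraction and data hiding working together, as an added example that is not part of the original presentation. The roles, subjects, objects and the `NotFound` behaviour are assumptions made for illustration; the level names are the government/military labels listed later in this chapter, and only the read-side restriction described above is modelled.

```python
# Added illustration; roles, subjects and objects are constructed sample data.
from enum import IntEnum

class Level(IntEnum):          # government/military labels from this chapter, lowest to highest
    UNCLASSIFIED = 0
    SENSITIVE_BUT_UNCLASSIFIED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4

# Abstraction: permissions are attached to roles, not to individual subjects.
ROLE_PERMS = {
    "analyst": {"read"},
    "records_officer": {"read", "write"},
}

SUBJECTS = {                   # subject -> (role, clearance)
    "alice": ("analyst", Level.SECRET),
    "bob": ("records_officer", Level.CONFIDENTIAL),
    "carol": ("analyst", Level.UNCLASSIFIED),
}

OBJECTS = {                    # object name -> (label, content)
    "cafeteria-menu": (Level.UNCLASSIFIED, "soup"),
    "staff-roster": (Level.CONFIDENTIAL, "names"),
    "site-plan": (Level.SECRET, "layout"),
}

class NotFound(Exception):
    """Raised for hidden and nonexistent objects alike."""

def visible(subject):
    """Data hiding: a listing shows only objects at or below the subject's clearance."""
    _, clearance = SUBJECTS[subject]
    return sorted(name for name, (label, _) in OBJECTS.items() if label <= clearance)

def access(subject, name, action):
    role, clearance = SUBJECTS[subject]
    entry = OBJECTS.get(name)
    if entry is None or entry[0] > clearance:
        raise NotFound(name)   # same answer either way: existence and label stay hidden
    if action not in ROLE_PERMS[role]:
        raise PermissionError(f"{role} may not {action}")
    return entry[1] if action == "read" else "written"
```

A subject asking for an object above their clearance gets the same `NotFound` as for a name that does not exist, so the refusal itself does not reveal that the object exists or how it is labelled.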

Protection Mechanisms
Encryption
Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients.
Encryption can take many forms and be applied to every type of electronic communication, including text, audio, and video files, as well as applications themselves. Encryption is an important element in security controls, especially in regard to the transmission of data between systems. There are various strengths of encryption, each of which is designed and/or appropriate for a specific use or purpose.

Change Control/Management
Another important aspect of security management is the control or management of change. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. This usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms. The records of changes to an environment are then used to identify agents of change, whether those agents are objects, subjects, programs, communication pathways, or even the network itself.
The goal of change management is to ensure that any change does not lead to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state. Change management can be implemented on any system despite the level of security. Ultimately, change management improves the security of an environment by protecting implemented security from unintentional, tangential, or affected diminishments. Although an important goal of change management is to prevent unwanted reductions in security, its primary purpose is to make all changes subject to detailed documentation and auditing and thus able to be reviewed and scrutinized by management.

Change Control/Management
Change management should be used to oversee alterations to every aspect of a system, including hardware configuration and OS and application software. Change management should be included in design, development, testing, evaluation, implementation, distribution, evolution, growth, ongoing operation, and modification. It requires a detailed inventory of every component and configuration. It also requires the collection and maintenance of complete documentation for every system component, from hardware to software and from configuration settings to security features.

Change Control/Management
The change control process of configuration or change management has several
goals or requirements:
• Implement changes in a monitored and orderly manner. Changes are always controlled.
• A formalized testing process is included to verify that a change produces expected results.
• All changes can be reversed.
• Users are informed of changes before they occur to prevent loss of productivity.
• The effects of changes are systematically analyzed.
• The negative impact of changes on capabilities, functionality, and performance is minimized.

Change Control/Management
One example of a change management process is a parallel run, which is a type of new system deployment testing where the new system and the old system are run in parallel. Each major or significant user process is performed on each system simultaneously to ensure that the new system supports all required business functionality that the old system supported or provided.

Data Classification
Data classification is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. It is inefficient to treat all data the same when designing and implementing a security system because some data items need more security than others. Securing everything at a low security level means sensitive data is easily accessible. Securing everything at a high security level is too expensive and restricts access to unclassified, noncritical data. Data classification is used to determine how much effort, money, and resources are allocated to protect the data and control access to it.
The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity. Data classification is used to provide security mechanisms for storing, processing, and transferring data. It also addresses how data is removed from a system and destroyed.

Data Classification
The following are benefits of using a data classification scheme:
• It demonstrates an organization’s commitment to protecting valuable resources and assets.
• It assists in identifying those assets that are most critical or valuable to the organization.
• It lends credence to the selection of protection mechanisms.
• It is often required for regulatory compliance or legal restrictions.
• It helps to define access levels, types of authorized uses, and parameters for declassification, and/or destruction of no longer valuable resources.

Data Classification
The criteria by which data is classified vary based on the organization performing the classification. However, you can glean numerous generalities from common or standardized classification systems:
• Usefulness of the data
• Timeliness of the data
• Value or cost of the data
• Maturity or age of the data
• Lifetime of the data (or when it expires)
• Association with personnel
• Data disclosure damage assessment (that is, how the disclosure of the data would affect the organization)
• Data modification damage assessment (that is, how the modification of the data would affect the organization)
• National security implications of the data
• Authorized access to the data (that is, who has access to the data)
• Restriction from the data (that is, who is restricted from the data)
• Maintenance and monitoring of the data (that is, who should maintain and monitor the data)
• Storage of the data

Data Classification
Using whatever criteria is appropriate for the organization, data is evaluated, and an appropriate data classification label is assigned to it. In some cases, the label is added to the data object. In other cases, labeling is simply assigned by the placement of the data into a storage mechanism or behind a security protection mechanism. To implement a classification scheme, you must perform seven major steps or phases:
• Identify the custodian, and define their responsibilities.
• Specify the evaluation criteria of how the information will be classified and labeled.
• Classify and label each resource. (The owner conducts this step, but a supervisor should review it.)
• Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria.
• Select the security controls that will be applied to each classification level to provide the necessary level of protection.
• Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity.
• Create an enterprisewide awareness program to instruct all personnel about the classification system.

Data Classification
Declassification is often overlooked when designing a classification system and documenting the usage procedures. Declassification is required once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level. In other words, if the asset were new, it would be assigned a lower sensitivity label than it currently is assigned. When assets fail to be declassified as needed, security resources are wasted, and the value and protection of the higher sensitivity levels is degraded.

Data Classification
The two common classification schemes are government/military classification and commercial business/private sector classification.
There are five levels of government/military classification (listed here from highest to lowest):
Top secret: The highest level of classification. The unauthorized disclosure of top-secret data will have drastic effects and cause grave damage to national security.
Secret: Used for data of a restricted nature. The unauthorized disclosure of data classified as secret will have significant effects and cause critical damage to national security.
Confidential: Used for data of a confidential nature. The unauthorized disclosure of data classified as confidential will have noticeable effects and cause serious damage to national security. This classification is used for all data between secret and sensitive but unclassified classifications.
Sensitive but unclassified: Used for data of a sensitive or private nature, but the disclosure of this data would not cause significant damage.
Unclassified: The lowest level of classification. This is used for data that is neither sensitive nor classified. The disclosure of unclassified data does not compromise confidentiality or cause any noticeable damage.

Data Classification
The classifications of confidential, secret, and top secret are collectively known or labeled as classified. Often, revealing the actual classification of data to unauthorized individuals is a violation of that data. Thus, the term classified is generally used to refer to any data that is ranked above the sensitive but unclassified level. All classified data is exempt from the Freedom of Information Act as well as many other laws and regulations. The U.S. military classification scheme is most concerned with the sensitivity of data and focuses on the protection of confidentiality (that is, the prevention of disclosure). You can roughly define each level or label of classification by the level of damage that would be caused in the event of a confidentiality violation. Data from the top-secret level would cause grave damage to national security, while data from the unclassified level would not cause any serious damage to national or localized security.

Data Classification
The four levels of commercial business/private sector classification (listed highest to lowest) are as follows:
Confidential: The highest level of classification. This is used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for a company if confidential data is disclosed. Sometimes the label proprietary is substituted for confidential.
Private: Used for data that is of a private or personal nature and intended for internal use only. A significant negative impact could occur for the company or individuals if private data is disclosed.
Sensitive: Used for data that is more classified than public data. A negative impact could occur for the company if sensitive data is disclosed.
Public: The lowest level of classification. This is used for all data that does not fit in one of the higher classifications. Its disclosure does not have a serious negative impact on the organization.